diff --git a/.github/workflows/dev-release.yml b/.github/workflows/dev-release.yml index 0f49213..cd9f552 100644 --- a/.github/workflows/dev-release.yml +++ b/.github/workflows/dev-release.yml @@ -87,21 +87,24 @@ jobs: VCODE: ${{ steps.version.outputs.version_code }} VNAME: ${{ steps.version.outputs.version_name }} run: | - if [ -n "$KEYSTORE_BASE64" ]; then - echo "$KEYSTORE_BASE64" | base64 --decode > keystore.jks - ./gradlew :app:assembleOpenRelease :wear:assembleOpenRelease \ - -PversionCode="$VCODE" \ - -PversionName="$VNAME" \ - -Pandroid.injected.signing.store.file="$PWD/keystore.jks" \ - -Pandroid.injected.signing.store.password="$STORE_PASSWORD" \ - -Pandroid.injected.signing.key.alias="$KEY_ALIAS" \ - -Pandroid.injected.signing.key.password="$KEY_PASSWORD" - rm -f keystore.jks - else - ./gradlew :app:assembleOpenDebug :wear:assembleOpenDebug \ - -PversionCode="$VCODE" \ - -PversionName="$VNAME" + # No silent fallback to a debug build: assembleOpenDebug is signed with + # AGP's default debug keystore, and nothing downstream (locate, cosign, + # publish) can tell the difference, so a missing secret would ship a + # debug-signed APK under the real dev version. Fail loudly instead, + # matching tagged-release.yml. + if [ -z "$KEYSTORE_BASE64" ]; then + echo "ERROR: KEYSTORE_BASE64 secret missing - refusing to publish an unsigned/debug-signed dev build" + exit 1 fi + echo "$KEYSTORE_BASE64" | base64 --decode > keystore.jks + trap 'rm -f "$PWD/keystore.jks"' EXIT + ./gradlew :app:assembleOpenRelease :wear:assembleOpenRelease \ + -PversionCode="$VCODE" \ + -PversionName="$VNAME" \ + -Pandroid.injected.signing.store.file="$PWD/keystore.jks" \ + -Pandroid.injected.signing.store.password="$STORE_PASSWORD" \ + -Pandroid.injected.signing.key.alias="$KEY_ALIAS" \ + -Pandroid.injected.signing.key.password="$KEY_PASSWORD" - name: Locate APKs id: apk diff --git a/CHANGELOG.md b/CHANGELOG.md index e6040e1..7ab42c6 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -6,6 +6,16 @@ uses semantic versioning (`MAJOR.MINOR.PATCH`). ## [Unreleased] +### Security + +- **Your data no longer goes into Android's cloud backup.** The phone and watch + apps now opt out of backup and device-to-device transfer entirely. Previously + the local cache (members, groups, front history, messages), the offline switch + queue and the watch's stored session were all eligible to be copied into a + Google-held backup of your device. Nothing about your system leaves the device + now; everything is restored by signing in again, and a watch re-pairs from the + phone. + ### Fixed - **Signing into another account no longer leaks the previous account's data.** @@ -92,6 +102,7 @@ uses semantic versioning (`MAJOR.MINOR.PATCH`). one. Applies to every importer (Sheaf, PluralKit file and API, Tupperbox, Prism, OpenPlural, PluralSpace, Simply Plural). + ## [1.2.2] - 2026-07-11 ### Added diff --git a/sheaf/app/src/main/AndroidManifest.xml b/sheaf/app/src/main/AndroidManifest.xml index 7305791..834b504 100644 --- a/sheaf/app/src/main/AndroidManifest.xml +++ b/sheaf/app/src/main/AndroidManifest.xml @@ -8,7 +8,7 @@ - + + + + + diff --git a/sheaf/app/src/main/res/xml/data_extraction_rules.xml b/sheaf/app/src/main/res/xml/data_extraction_rules.xml index aea76b4..5bf1284 100644 --- a/sheaf/app/src/main/res/xml/data_extraction_rules.xml +++ b/sheaf/app/src/main/res/xml/data_extraction_rules.xml @@ -1,20 +1,35 @@ - + + + + + - + + + + + diff --git a/sheaf/wear/src/main/AndroidManifest.xml b/sheaf/wear/src/main/AndroidManifest.xml index 785c8c6..869eb11 100644 --- a/sheaf/wear/src/main/AndroidManifest.xml +++ b/sheaf/wear/src/main/AndroidManifest.xml @@ -8,7 +8,7 @@ - - + + + + + diff --git a/sheaf/wear/src/main/res/xml/data_extraction_rules.xml b/sheaf/wear/src/main/res/xml/data_extraction_rules.xml index d2d21fe..3ef0943 100644 --- a/sheaf/wear/src/main/res/xml/data_extraction_rules.xml +++ b/sheaf/wear/src/main/res/xml/data_extraction_rules.xml @@ -1,11 +1,33 @@ + - - + + + + + - - + + + + +